Component names in tickets not escaped properly
|Reported by:||Owned by:||Jonas Borgström|
|Severity:||minor||Keywords:||ticket component bug|
The symptom is that when editing a ticket in Trac 0.8, an incorrect component is selected. This happens when a component has a character (e.g. >) in its name that needs to be escaped in HTML.
A possible fix might be to wrap the $selected variables on line 4 of source:/trunk/templates/macros.cs in the ClearSilver html_escape function, so that both sides of the equality test are escaped in the same way. Unfortunately, my testing indicates that html_escape() isn't available, despite what the ClearSilver docs suggest ("Unknown function html_escape called").
Alternatively, we could escape the values in source:/trunk/trac/Ticket.py (line 324) before they get put into the HDF. This might be more appropriate, but would involve digging further into util.sql_to_hdf and so on.
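The mismatch described in this ticket, modelled as an added Python example (not Trac's or ClearSilver's code). The function names and component list are hypothetical, and Python's html.escape stands in for whatever escaping was applied to the option names.

```python
from html import escape

# Constructed sample data: one component name contains a character
# that must be escaped in HTML.
COMPONENTS = ["general", "parser > lexer", "wiki"]


def render_options(options, selected, escape_selected):
    """Render <option> elements the way the ticket describes.

    The option names are always HTML-escaped before the comparison.
    With escape_selected=False the selected value is compared raw,
    which models the reported bug. With escape_selected=True both
    sides of the equality test are escaped in the same way, which is
    the fix the ticket proposes.
    """
    needle = escape(selected) if escape_selected else selected
    rendered = []
    for name in options:
        shown = escape(name)
        mark = ' selected="selected"' if shown == needle else ""
        rendered.append(f"<option{mark}>{shown}</option>")
    return rendered


def selected_index(rendered):
    """Return the index of the option marked selected, or None."""
    for i, line in enumerate(rendered):
        if 'selected="selected"' in line:
            return i
    return None


if __name__ == "__main__":
    for flag in (False, True):
        rows = render_options(COMPONENTS, "parser > lexer", flag)
        print(f"escape_selected={flag}: selected index {selected_index(rows)}")
        print("\n".join(rows))
```

When no option carries the selected attribute, a single-choice select shows its first option, so the form displays the wrong component even though the stored value is correct.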